ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT [first edition]

Abstract

“[ISO/IEC 27404] defines a cybersecurity labelling framework for the development and implementation of cybersecurity labelling programmes for consumer IoT products. It provides requirements and includes guidance on the following topics:

- Risks and threats associated with consumer IoT products;
- Stakeholders, roles and responsibilities;
- Relevant standards and guidance documents;
- Conformity assessment;
- Labelling issuance and maintenance;
- Mutual recognition.

[ISO/IEC 27404] is limited to consumer IoT products, such as: IoT gateways, base stations and hubs to which multiple devices connect; smart cameras, televisions, and speakers; wearable devices; connected smoke detectors, door locks and window sensors; connected home automation and alarm systems; connected appliances, such as washing machines and fridges; smart home assistants; and connected children’s toys and baby monitors.

Products that are not intended for consumer use are excluded from this standard. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes.

[ISO/IEC 27404] is applicable to consumers, developers, issuing bodies of cybersecurity labels and conformity assessment bodies.”
[Source: ISO/IEC 27404:2025]

Introduction

Although cybersecurity is seldom promoted as a feature of consumer-oriented IoT devices (things), it can be important. Inconsistent and unclear cybersecurity labelling does not help consumers appreciate their security and privacy objectives, nor evaluate and select things accordingly. Standardising the cybersecurity labelling of things is intended to improve consistency across the global market, increase consumer awareness and promote better cybersecurity designs.

Scope of the standard

The standard concerns consumer-grade (retail) things - as opposed to business, industrial, engineering, medical, scientific or mil-spec things (since their cybersecurity requirements and features/capabilities are more likely to be specified in detail). It covers cybersecurity and privacy but excludes safety aspects.

Content of the standard

The main sections are:

- Overview of cybersecurity labelling for consumer IoT
- International alignment through a cybersecurity labelling framework
- Requirements and guidance for the components of the cybersecurity labelling framework for consumer IoT
- Requirements and guidance for labelling issuance and maintenance for consumer IoT
- Annex A - types and features of cybersecurity labels
- Annex B - illustrative examples of multi-level labelling schemes
- Annex C - illustrative examples of binary labelling schemes
- Annex D - determination of equivalency among labelling schemes
- Annex E - examples of cybersecurity baseline provisions
- Annex F - examples of secure-by-design provisions
- Annex G - examples of privacy assessment requirements

Status

The first edition was published in October 2025.

Personal comments

Singapore standard TR 91:2021 Cybersecurity labelling for consumer IoT formed the original basis for this standard, with editorial changes to suit the more formal ISO/IEC style.